The Supreme Court heard oral arguments this week in Van Buren v. United States, which asked the nine Justices to interpret the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030. The CFAA was enacted in 1986, just two short years after Apple introduced the first Macintosh computers for home use. It imposes civil and criminal liability for unauthorized access of computers. Nathan Van Buren, a former Georgia police officer, asked the Court to interpret two provisions of the CFAA. The first, 18 U.S.C. § 1030(a)(2)(C) prohibits users of computers owned by others from “exceed[ing] authorized access.” The second, § 1030(e)(6), defines “exceeds authorized access” to mean accessing a computer “without authorization,” and “using such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”
Mr. Van Buren was authorized to search computerized license plate records for law enforcement purposes. During a sting operation, Mr. Van Buren ran a license plate search for a friend who turned out to be an FBI informant who offered him money for the search. The Department of Justice charged Mr. Van Buren with computer fraud under the CFAA, and wire fraud under another federal statute. A jury convicted Mr. Van Buren of both counts. The United States Court of Appeals for the Eleventh Circuit vacated the conviction for wire fraud, but upheld the conviction under the CFAA. The Eleventh Circuit cited its own earlier precedent holding that a person “exceed[s] unauthorized access” to data when he or she accesses it for a prohibited use, even if he or she is authorized to access it for other purposes.
Van Buren is just one of a series of opinions that have split the Circuit Courts over how the interpretation and application of the CFAA to individuals who are authorized to obtain information from a computer for some purposes, but not for others.
Mr. Van Buren argued to the Supreme Court that the CFAA only applies if a defendant obtains information that he was not under any circumstances entitled to obtain. In other words, the CFAA does not prohibit misuse of authorized access. Any other reading, Mr. Van Buren argued, could criminalize everyday activities that might violate purpose-based restrictions. For example, taking Mr. Van Buren’s analysis to a logical conclusion, an employee who obtains data for personal use from a work computer in violation of the company might face liability under the CFAA.
By contrast, the United States government argued that the plain meaning of “obtain[ing] information in the computer that the accesser [sic] is not entitled so to obtain” includes obtaining information for an unauthorized purpose. The government argues that to be “entitled so to obtain” information, the person must have been “granted a right to do it in a particular matter or circumstance.”
Several leading cybersecurity experts and think tanks filed briefs of amici curiae, arguing that upholding Mr. Van Buren’s conviction under the CFAA would create precedent that criminalizes innocent and beneficial acts, such as cybersecurity research aimed at identifying vulnerabilities in networks, hardware, and websites.
The Justices’ comments during oral arguments on Monday, November 30, demonstrated their appreciation that their opinion will have far-reaching practical implications for personal data privacy. Justice Clarence Thomas asked whether Van Buren’s concerns over criminal liability for everyday innocuous conduct had ever actually played out in the real world. Mr. Van Buren’s counsel cited United States v. Drew, in the Central District of California, in which the government charged a defendant under the CFAA for accessing another person’s MySpace account, and Ticketmaster L.L.C. v. Prestige Entertainment West, Inc., in which Ticketmaster sued a user for unauthorized use of Ticketmaster.
Justices Sonia Sotomayor and Elena Kagan focused on the apparent ambiguity that the use of a single word—“so” —has created in the definition of “exceeds authorized access.” For example, Justice Sotomayor offered the government a hypothetical:
“Imagine a law that says anyone who drives on Elm Street who is not authorized so to drive shall be punished. The ‘so to drive’ … could mean if you’re not authorized to drive on Elm Street. But under [the DOJ’s] theory, it could be, and might very possibly be read as saying ‘you can’t ride on Elm Street if you’re driving on it with an illegal purpose, you’re speeding, you’re breaking the law on curfew, you’re texting. So to me, if all you’re relying on is the word ‘so,’ I don’t get around the ambiguity…”
Justice Kagan appeared to agree with Justice Sotomayor, “So then the question is, what does ‘so’ mean? … If I understand [Van Buren’s] argument, he says ‘so’ means by accessing a computer. And [the government] just said ‘so’ means by using your access…[W]hy is it that we should pick [the government’s] choice of the prior reference rather than [Van Buren’s] choice of the prior reference?” Justice Kagan also pointedly asked the government, “[Y]ou would concede, wouldn’t you, that if the word ‘so’ wasn’t there, you would lose this case?”
In closing, Justice Neil Gorsuch noted that the government’s argument was consistent with what Justice Gorsuch perceives to be the government’s attempt to expand its federal criminal jurisdiction, which the Court has repeatedly rebuffed. Justice Gorsuch cautioned that the DOJ’s reading of the statute might make a federal criminal of us all.”
Because of the massive amounts of data and information that are literally at all of our fingertips, and the potential for drastic changes to U.S. cybersecurity law, Van Buren is certainly a Supreme Court case to watch in 2021.